This is in no way a Firewall issue. Fail2ban is not the Firewall. They are two completely different things.
This was a block due to it being anonymous; that has nothing to do with it being TLS or not TLS. As well, fail2ban will only block things once they have done X in Y time. It is not a firewall in a preventive manner. It waits for something bad to happen and then it does stuff.
The actual System Firewall would be a completely different beast and it is Deny All by default. Are you running the System Firewall?
I think you misunderstand, there was NO block. That's the problem. And I updated the fail2ban rule myself to detect TLS and it works. Yes, the firewall is enabled.
My expectation is that a security event like this will trigger a ban on that IP address. That works now that I added the TLS selector to the rule.